Hi,

I was checking fwupd (which is in the dla-needed list) and the security tracker indicates CVE-2022-3287 [1] as affecting bullseye. After checking the vulnerability and the upstream repo, I was able to determine that the vulnerable code was only introduced in 1.7.0 [2] and actually used in 1.7.4 [3], effectively meaning our binary packages are only vulnerable from 1.7.4-1 onward.
I did open a merge request to update the security tracker [4] and I'd like to ask FD to remove it from the dla-needed file.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2022-3287
[2] https://github.com/fwupd/fwupd/commit/33a24c77b7dfc73c9f105f992274c8f042a5318b
[3] https://github.com/fwupd/fwupd/commit/22057f76cc1929e3064c38d3e3cecc19c3a80fcb
[4] https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/209
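The triage above turns a pair of upstream commits into a version boundary: binary packages at or above 1.7.4-1 carry the vulnerable code, anything older does not. Deciding which side of that boundary a suite's package sits on is a Debian version comparison, which is not lexical (1.7.10 sorts after 1.7.4, 1.7.4~rc1 sorts before 1.7.4, epochs override everything). The following is an added example, not part of the message above or of the fwupd or security-tracker code: a self-contained Python reimplementation of the dpkg version-ordering rules plus an `is_affected()` check. The introduced version 1.7.4-1 is taken from the message; the optional `fixed` parameter and the sample version strings are assumptions for illustration, since the message names no fixed version and no bullseye package version.

```python
"""Debian (dpkg) version comparison, reimplemented from the policy rules.

Added example for the CVE-2022-3287 / fwupd triage above. Only the
introduced version 1.7.4-1 comes from the original message; the `fixed`
parameter and all sample version strings below are constructed.
"""
from typing import Optional, Tuple


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit segment.

    '~' sorts before everything (even end of string), letters sort by
    their code point, other characters sort after all letters, and a
    digit or end-of-string counts as 0 (mirrors dpkg's order()).
    """
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision).

    Alternates between a non-digit segment compared with _order() and a
    digit segment compared numerically, exactly as dpkg does.
    """
    while a or b:
        # Non-digit segment: compare character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit segment: strip leading zeros, then compare numerically.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1   # a has more digits, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_affected(version: str, introduced: str = "1.7.4-1",
                fixed: Optional[str] = None) -> bool:
    """True if `version` lies in [introduced, fixed).

    `introduced` defaults to 1.7.4-1 per the triage above; `fixed` is a
    hypothetical parameter, since the message names no fixed version.
    """
    if compare_versions(version, introduced) < 0:
        return False
    return fixed is None or compare_versions(version, fixed) < 0


if __name__ == "__main__":
    # Constructed sample versions, not real bullseye package versions.
    for v in ("1.7.3-3", "1.7.4~rc1-1", "1.7.4-1", "1.7.10-1", "1:1.5.7-4"):
        print(f"{v:14} affected={is_affected(v)}")
```

The `~` rule matters most in practice: a backport such as 1.7.4-1~deb11u1 sorts before 1.7.4-1, while 1.7.4-1+deb11u1 sorts after it, so a security-update version built as `+debNuM` stays above the version it patches.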